(57) ABSTRACT

A network security system provides a complete, reactive Network Intrusion Detection System (NIDS) designed to stop a would-be hacker from gaining unauthorized access by blocking their connectivity to a protected network at the first sign of malicious activity. The network security system utilizes a commercially available or open source NIDS that can detect patterns in TCP/IP activity as well as examining packet headers to detect probes and attempts to compromise systems. The network security system then modifies the return route from the "victim" protected network so that outbound packets are never returned to the attacker.

26 Claims, 2 Drawing Sheets 
NETWORK SECURITY SYSTEM PROTECTING AGAINST DISCLOSURE OF INFORMATION TO UNAUTHORIZED AGENTS



FIELD OF THE INVENTION 

The present invention is directed to intrusion detection for a computer-based system and, more particularly, to a network security system protecting a network from disclosure of information in response to a maleficent message.

BACKGROUND OF THE INVENTION 

Computer networks provide connectivity between and 
among computer resources connected to the network and, 
typically, remote networks and devices. A private network 
may support computer resources at a single location, e.g., a 
local area network (LAN) or at multiple locations, e.g., a 
wide area network (WAN). The network infrastructure may
include one or more routers for directing messages between 
and among computer resources connected to the network, 
while gateways and/or bridges connect the LAN or WAN to 
other, typically remote networks. Often, the connection to 
remote networks is provided using open or public commu- 
nications network facilities such as the ubiquitous Internet. 

Once a private network is connected to an open network 
or otherwise provides open access to the network, security 
of the private network becomes a paramount concern. 
Typically, some form of "firewall" is required, i.e., a system 
that restricts access between a protected network and the 
Internet, or between other sets of networks. The firewall may 
be implemented using one or more systems including, for 
example, a screening router, dual-homed and screened-host
gateways, a screened subnet, and an application-level gate-
way (or proxy server). Those skilled in the art of network
security systems use these and other components and sys- 
tems to restrict access to a protected network. 

While certain components and systems provide some 
level of protection, there is increasing need for more sophis- 
ticated systems to help maintain network security. A network 
intrusion detection system (NIDS) provides capabilities to 
identify and respond to malicious or anomalous activities 
aimed at networked systems. Commercial products include 
AXENT® by Axent Technologies, Inc. (www.axent.com), 
Cisco® by Cisco Technology, Inc. (www.cisco.com), Cyber- 
Safe® by Cybersafe corporation (www.cybersafe.com), 
Safesuite® by Internet Security System, Inc. (ISS) 
(www.iss.net), and Shadow® (www.nswc.navy.mil/ISSEC/ 
CID). 

Further examples of network security systems are 
described in U.S. Pat. No. 5,414,833 of Hershey, et al. 
entitled "Network Security System And Method Using A 
Parallel Finite State Machine Adaptive Active Monitor And 
Responder" issued May 9, 1995; U.S. Pat. No. 5,557,742 of Smaha, et al. entitled "Method And System For Detecting Intrusion Into And Misuse Of A Data Processing System" issued Sep. 17, 1996; U.S. Pat. No. 5,720,033 of Deo entitled "Security Platform And Method Using Object Oriented Rules For Computer-Based Systems Using UNIX-Like Operating Systems" issued Feb. 17, 1998; U.S. Pat. No. 5,892,903 of Klaus entitled "Method And Apparatus For Detecting And Identifying Security Vulnerabilities In An Open Network Computer Communication System" issued Apr. 6, 1999; and U.S. Pat. No. 6,279,113 of Vaidya entitled "Dynamic Signature Inspection-Based Network Intrusion Detection" issued Aug. 21, 2001.
While these security systems inspect data packets and messages to identify attempts to gain unauthorized access to a network, processing upon detection of a network intrusion may not foil the attempt. In particular, prior art systems are divided into passive and reactive types. Passive systems monitor network traffic and generate notifications and reports that can be reviewed by security personnel. Reactive implementations perform all the functions of their passive counterparts but can also take immediate action to deny access to network resources. Most reactive NIDS systems are host based; the few network-based implementations are bound to specific network hardware and specific network topologies, and work by completely filtering the offending party. Since the hosts appear unreachable to the attacker, reporting within the protected network is lost.

Accordingly, a need exists for a device and method that protects a network from externally launched attacks while tracking and reporting such events. A further need exists for a device and method of providing network security protection and reporting that is compatible with a wide range of NIDS.

SUMMARY OF THE INVENTION 

The invention is a system for and method of monitoring traffic inbound to a protected network for any signs of malicious activity. Once an attack is detected, the system acts to prevent the attacker from retrieving any data from its target.

According to one aspect of the invention, a network security system includes a router connected to a protected network, the router configured to selectively route incoming messages to respective destinations on the protected network as addressed by the respective incoming messages. A network intrusion detection system (NIDS) connected to the protected network operates to detect any attack on the protected network associated with one or more of the incoming messages. A control system on the network operates to cause the router to selectively redirect a reply message associated with the one incoming message to an alternate terminus on the protected network in response to the NIDS detecting the attack (i.e., an offending message).

According to a feature of the invention, a GateD server is connected to the protected network wherein the reply message associated with the offending incoming message is initially addressed to an offending off-network IP address associated with the incoming message prior to rerouting by the router. In this case, the GateD server stores (i) the offending IP address associated with the incoming message and (ii) a static route pointing the offending IP address to the alternate terminus on the protected network.

According to another feature of the invention, the control system may further include a routing server storing a routing table. The routing server may include a GateD server. According to another feature of the invention, the control system may be configured to execute a network routing daemon that understands a plurality of protocols including at least one or more of BGP, EGP, RIP, RIP II, OSPF, and HELLO. In this case, the NIDS may be configured to monitor the incoming messages to detect predetermined patterns of TCP/IP activity indicative of the attack on the protected network.

According to another feature of the invention, the NIDS may be configured to monitor packet headers of the incoming messages to detect probes.

According to another feature of the invention, the NIDS may be configured to monitor the incoming messages to detect one of:
(i) a network resource anomaly including activity that is different from a predetermined normal behavior; and

(ii) a network resource misuse including activity corresponding to known intrusion techniques, a known intrusion signature, and/or known system vulnerabilities.

According to another feature of the invention, the NIDS may be configured to notify the control system of detecting the attack via a (i) system log (syslog) and/or (ii) Simple Network Management Protocol (snmp) trap.

According to another feature of the invention, the NIDS may be configured to mirror ports addressable corresponding to the destinations on the protected network.

According to another feature of the invention, the router may include a routing table, the control system configured to introduce to the router a preferred route into the routing table. The preferred route is effective to selectively redirect the reply message to the alternate terminus on the protected network. The alternate terminus on the protected network may be a system configured to analyze the reply message to identify network vulnerabilities of the protected network.

According to another feature of the invention, the control system may be configured to put an Exterior Gateway Protocol (EGP) neighbor corresponding to a destination of the reply message into a down state and generate a corresponding egpNeighborLoss trap.

According to another feature of the invention, the control system may redirect the reply message to the NIDS. The NIDS may then operate to analyze the reply message to identify network vulnerabilities.

According to another aspect of the invention, a network security system includes a protected network configured to route a message between (i) a plurality of network nodes and (ii) at least one external node. A router connected to the network receives the incoming message from the external node and selectively routes it to the addressed network node. A NIDS monitors the incoming message to the protected network and provides an indication of an attempt to gain unauthorized access to the protected network. A control system is responsive to an attack so as to cause the router to selectively redirect to one of the network nodes on the protected network a reply message associated with the incoming message in response to the NIDS detecting the attack.

According to another aspect of the invention, a method of operating a network security system includes a step of selectively routing a message incoming to respective destinations on a protected network. A step of detecting an attack on the protected network associated with one of the incoming messages initiates a selective redirection of a reply message associated with the associated incoming message to a destination on the protected network (instead of to the external address) in response to the step of detecting the attack.

Additional objects, advantages and novel features of the invention will be set forth in part in the description which follows, and in part will become apparent to those skilled in the art upon examination of the following or may be learned by practice of the invention. The objects and advantages of the invention may be realized and attained by means of the instrumentalities and combinations particularly pointed out in the appended claims.

BRIEF DESCRIPTION OF DRAWINGS

The drawing figures depict the present invention by way of example, not by way of limitations. In the figures, like reference numerals refer to the same or similar elements.

FIG. 1 is a simplified block diagram of a security system connected to a protected network for inhibiting return messages to an external node mounting an attack against the network;

FIG. 2 is a simplified block diagram of message rerouting flow performed by a security system upon detection of an attack on the protected network from an external node; and

FIG. 3 is a flow chart of a method of detecting and inhibiting reply messages to an attacking node or in response to an attack.

DETAILED DESCRIPTION OF THE INVENTION

A network security system according to the invention provides a complete, reactive NIDS designed to stop a would-be hacker or "a hacker" from gaining unauthorized access by blocking their connectivity to a protected network at the first sign of malicious activity. The network security system utilizes a commercially available or open source NIDS that can detect patterns in TCP/IP activity as well as examining packet headers to detect probes and attempts to compromise systems. It then modifies the return route from the "victim" protected network so that outbound packets are never returned to the attacker. Suitable NIDS include Cisco® NetRanger™, NFR Flight Recorder™, ODS CMDS, ISS RealSecure SAFEsuite™, Shadow™, Tripwire Enterprise™, NAI Cybercop™, AXENT OmniGuard™ and Intruder Alert™, eTrust Intrusion Detection™, CyberSafe Security Dynamics Kane Security Monitor™ and others.

The network security system preferably includes a NIDS that is capable of sending external notifications via syslog or snmp traps, and is compatible with a network configuration that utilizes the Border Gateway Protocol (BGP) for routing. When an attack is detected, the return route from machines (i.e., nodes) in the protected network is modified. Modification of the return route to circumvent responding to the attack is an improvement over designs that simply filter the attacker because, while hosts will appear unreachable to them, reporting within the protected network is not lost. Thus, once the NIDS detects an attack, the network security system acts to prevent the attacker from retrieving any data from its target. However, servers on the protected network can still see the attempted attack, but no data will be sent back to the attacker. Once an attacker is identified, its identity may be communicated to other network security systems on other networks to black hole the attacker from receiving responses.

Referring to FIG. 1, a protected network 101 includes a plurality of machines or nodes 102-105. Although depicted in the present illustration as personal computers, the nodes may be any addressable device, system, subnetwork, router, gateway or similar device or structure. Nodes 102-105 are connected to each other and to router 107 via a communications infrastructure such as wide area network (WAN) 106. WAN 106 may be any suitable network architecture including, for purposes of example only, an Ethernet based system.

Router 107 may also include a gateway functionality to interconnect WAN 106 to Internet 111. Router 107 may be a conventional device compatible with BGP such as sold by Cisco® and others. NIDS 110 is placed in a position to monitor all incoming traffic to protected network 101. This is achieved by mirroring the ports used by inbound traffic on router 107. Multiple NIDS may be required depending on the amount of incoming traffic and the capacity of the server.




A network security controller 108 preferably runs a GateD 
server, and is configured as a BGP peer to the router. 
Network security controller 108 may be implemented on a 
conventional platform such as a personal computer, 
workstation, dedicated processor, system, etc. 

As one skilled in the art would understand, the GateD 
server portion of security controller 108 is a modular soft- 
ware program consisting of core services, a routing 
database, and protocol modules supporting multiple routing 
protocols including RIP versions 1 and 2, DCN HELLO, 
OSPF version 2, EGP version 2 and BGP version 2 through 
4 (the last being preferred in the present embodiment). Using
GateD, a network administrator and/or network security
controller 108 can control import and export of routing
information by individual protocol, by source and destina-
tion autonomous system, source and destination interface,
previous hop router, and specific destination address. The
network administrator and network security controller 108
can further specify a preference level for each combination
of routing information being imported by using a flexible
masking capability. Once the preference levels are assigned,
GateD makes a decision on which route to use independent
of the protocols involved. Accordingly, GateD's capability to
handle dynamic routing with a routing database built from
information exchanged by routing protocols allows network
security controller 108 to readily redefine routing as neces-
sary to circumvent completion of a reply message to an
attacker.

The Border Gateway Protocol (BGP) is an inter- 
Autonomous System routing protocol having the capability 
to exchange network reachability information with other 
BGP systems. This network reachability information 
includes information on the list of Autonomous Systems 
(ASs) that reachability information traverses. A Border 
Gateway Protocol 4 (BGP-4) is defined in RFC-1771 and 
related documents including RFC-1657; RFC-1772-1774;
RFC-1965; RFC-1966; and RFC-1996-1998.

Referring to FIG. 2, an incoming message to the pro-
tected network is received from, in this example, Internet
111 and is routed to both router 107 and NIDS 110 as
indicated by arrow 201. NIDS 110 monitors and analyzes the
incoming message traffic for malicious activity. Detection of
malicious activity may include anomaly detection and sig-
nature recognition. Anomaly detection includes recognition
of statistical anomalies by establishing a baseline of certain
activities such as CPU utilization, disk activity, user logins, file
activity, etc. Then the NIDS responds to a deviation from 
this baseline. Signature recognition is based on examination 
of network traffic to identify known patterns of attack. This 
requires that, for each hacker technique, the NIDS must be 
programmed to recognize the technique. For example, sig- 
nature recognition may be implemented based on a pattern 
matching method. In this case, the NIDS examines all 
incoming packets for the pattern "/cgi-bin/phf?", which may 
be indicative of an attempt to access a vulnerable CGI script 
on a web-server. Other similar and more sophisticated 
techniques of analysis may also be employed. 

If NIDS 110 identifies the incoming message as an attack 
on the network, it generates an alert message to network 
security controller 108. In response, network security con- 
troller 108 manipulates updates in its GateD server to 
announce to router 107 a new route for the offending IP 
address. Whether or not a network intrusion or attack is 
detected, unless the message is itself harmful to the 
addressed node, the message is routed to the target node as 
shown by arrow 112. Alternatively, messages considered to 
be harmful to the network may be blocked from the network 
and/or the session can be forced to terminate. 
After receipt and processing by the addressed node 102, 103, 104 or 105, the node transmits back a reply message to the offending IP address. Typically, this IP address is the same as that of the originator IP address associated with the incoming message. However, having a new route designated for the offending IP address, router 107, rather than passing the message on to Internet 111, instead routes the message to network security controller 108 and a phantom node or "black hole" 112. Network security controller 108 can then coordinate with NIDS 110 to analyze the attack.

The GateD server used as part of security controller 108 is a BGP neighbor of all WAN routers on the network including router 107. If route-reflectors are used, then only a session with the route-reflectors is required. When NIDS 110 announces an offending IP address to the GateD server of network security controller 108, the GateD server adds a static route to its tables which points the offending IP to the local interface. This route is then introduced into the routing tables of all WAN routers including router 107 and, since it is a /32, it is preferred over all other routes. All offending traffic destined outside protected network 101 is then diverted to the GateD host, i.e., network security controller 108. At that point, the traffic can be analyzed or simply discarded. This implementation allows the victim (e.g., node 102, 103, 104 or 105) to see all incoming traffic. However, outgoing traffic from the victim that is used to discover and exploit vulnerabilities will never reach the attacker. For example, if a sweep is detected by NIDS 110, network security controller 108 immediately acts to block traffic so the attacker does not receive any responses. The attacker then cannot discover any information about the servers in the network and is forced to move on.

A method according to the invention is presented in FIG. 3. Therein, after beginning the method at step 301, a message addressed to one of the nodes on the protected network is received at step 302. The NIDS makes an initial check at step 303 to determine whether the message is an intrusion attempt. The NIDS may check for activity such as a malicious pattern of TCP/IP activity (or equivalent in connection with other protocols). If the message does not represent an attack on the network, it is passed to the addressed node at step 304 and processing terminates until receipt of any next incoming message. Alternatively, if the message does represent a threat to the network or to a node on the network, then a check is performed at step 305 to determine if the message is so dangerous as to warrant blocking it from the network. Thus, inherently dangerous messages are trapped at step 306 or routed (possibly in an encapsulated form) to the NIDS for analysis and/or logging of the attempt. Messages which represent an intrusion attack but are eligible for routing to their destination node on the network are processed at step 307 to identify the offending IP address, e.g., the IP address of the message originator or other node to which a reply is to be directed by the target addressed node. Using the offending IP address, a trap or redirection based on the offending IP address is established at step 308. As detailed above, the trap or redirection is performed by the network security controller manipulation of updates in its GateD server to announce to router 107 a new route for the offending IP address. Once the redirection has been established, the message is passed to the target addressed node at step 309.

Outgoing messages are monitored at step 310 for routing so that, effectively, the redirection causes the offending message to be captured instead of being routed to its original destination. At step 311 the offending message is analyzed to identify network vulnerabilities.
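The redirect mechanism (an offender /32 pointing at the controller's local interface, preferred over the default route because it is the most specific prefix) and the step sequence of FIG. 3 can be simulated as follows. This is an added example written for this page, not code from the patent: the longest-prefix-match table stands in for router 107 and the GateD static route, the "/cgi-bin/phf?" signature is the one the description names, and all addresses and HTTP payloads are constructed sample values.

```python
"""Simulation of the reply-redirect (constructed example, not the patent's code)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample addressing (RFC 5737 documentation ranges, not from the patent).
PROTECTED_NET = "192.0.2.0/24"   # protected network 101
LAN = "lan"                      # next hop toward nodes 102-105 over WAN 106
INTERNET = "internet"            # router 107's upstream toward Internet 111
BLACK_HOLE = "blackhole"         # controller 108 local interface / phantom node 112

# Signature the description names ("/cgi-bin/phf?"), matched on the raw request bytes.
SIGNATURES = [re.compile(rb"/cgi-bin/phf\?")]


@dataclass
class Router:
    """Stands in for router 107: a longest-prefix-match forwarding table."""
    routes: dict = field(default_factory=dict)   # ip_network -> next-hop label

    def add_route(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        # The most specific prefix wins, so an injected /32 beats the default route.
        return self.routes[max(matches, key=lambda n: n.prefixlen)]


class Controller:
    """Stands in for network security controller 108 and its GateD server."""
    def __init__(self, router):
        self.router = router
        self.offenders = set()

    def alert(self, offending_ip):
        """Step 308: on a NIDS alert, point the offender's /32 at the local interface."""
        self.offenders.add(offending_ip)
        self.router.add_route(f"{offending_ip}/32", BLACK_HOLE)


def nids_is_attack(payload: bytes) -> bool:
    """Step 303: signature recognition by pattern matching on the incoming message."""
    return any(sig.search(payload) for sig in SIGNATURES)


def build_system():
    """Router 107 with a route to the protected network and a default route out."""
    router = Router()
    router.add_route(PROTECTED_NET, LAN)
    router.add_route("0.0.0.0/0", INTERNET)
    return router, Controller(router)


def handle_incoming(router, controller, src, dst, payload):
    """Steps 302-309: inspect, redirect the offender if needed, still deliver inbound."""
    if nids_is_attack(payload):
        controller.alert(src)
    return router.next_hop(dst)


def route_reply(router, reply_dst):
    """Step 310: where the victim's reply addressed to reply_dst is forwarded."""
    return router.next_hop(reply_dst)


def simulate():
    """One benign and one signature-matching request against the same target node."""
    router, controller = build_system()
    target = "192.0.2.10"
    benign, attacker = "198.51.100.7", "203.0.113.9"
    result = {}
    result["benign_in"] = handle_incoming(
        router, controller, benign, target, b"GET /index.html HTTP/1.0")
    result["benign_reply"] = route_reply(router, benign)
    result["attack_in"] = handle_incoming(
        router, controller, attacker, target, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0")
    result["attack_reply"] = route_reply(router, attacker)
    result["benign_reply_after"] = route_reply(router, benign)  # other peers unaffected
    result["offenders"] = sorted(controller.offenders)
    return result


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The attacking request is still delivered to the target (inbound next hop stays "lan"), but the target's reply to the offender is forwarded to the black hole while replies to other peers continue to the Internet.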
Although the present embodiment of the invention has been described in terms of specific divisions of functionalities, it is understood that other divisions and architecture may be implemented. For example, the NIDS, security controller, and GateD functions may be provided on a single or multiple platforms in various combinations and configurations. Further, while the present embodiment depicts a single WAN as the protected network, the invention is applicable to LANs and multiple WANs of a variety of configurations. Additionally, while a TCP/IP protocol is mentioned, the invention is applicable to a wide range of data communications systems and methods. Thus, while the foregoing has described what are considered to be preferred embodiments of the invention, it is understood that various modifications may be made therein and that the invention may be implemented in various forms and embodiments, and that it may be applied in numerous applications, only some of which have been described herein. It is intended by the following claims to claim all such modifications and variations which fall within the true scope of the invention.

It should further be noted and understood that all publications, patents and patent applications mentioned in this specification are indicative of the level of skill of those skilled in the art to which the invention pertains. All publications, patents and patent applications are herein incorporated by reference to the same extent as if each individual publication, patent or patent application was specifically and individually indicated to be incorporated by reference in its entirety.

What is claimed is:

1. A network security system for a protected network, comprising:

a router connected to the protected network and configured to selectively route incoming messages to respective destinations on the protected network addressed by respective ones of said incoming messages;

a NIDS connected to the protected network and configured to detect an attack on the protected network associated with one of said incoming messages; and

a network security controller connected to the protected network and configured to cause said router to selectively redirect to an alternate terminus a reply message associated with said one incoming message in response to said network intrusion detection system detecting said attack.

2. The network security system according to claim 1 further comprising a GateD server connected to the protected network, wherein said reply message associated with said one incoming message is initially addressed to an offending IP address associated with said incoming message prior to rerouting by said router and said GateD server is configured to store (i) said offending IP address associated with said incoming message and (ii) a static route pointing said offending IP address to said alternate terminus on said protected network.

3. The network security system according to claim 1 wherein said network security controller further comprises a routing server storing a routing table.

4. The network security system according to claim 3 wherein said routing server comprises a GateD server.

5. The network security system according to claim 1 wherein said network security controller is configured to execute a network routing daemon that understands a plurality of protocols including at least one of BGP, EGP, RIP, RIP II, OSPF, and HELLO.

6. The network security system according to claim 1 wherein said network intrusion detection system is configured to monitor said incoming messages to detect predetermined patterns of TCP/IP activity indicative of said attack on the protected network.

7. The network security system according to claim 1 wherein said network intrusion detection system is configured to monitor packet headers of said incoming messages to detect probes.

8. The network security system according to claim 1 wherein said network intrusion detection system is configured to monitor said incoming messages to detect one of:

(i) a network resource anomaly including activity that is different from a predetermined normal behavior; and

(ii) a network resource misuse including activity corresponding to known intrusion techniques, known intrusion signature, and/or known system vulnerabilities.

9. The network security system according to claim 1 wherein said network intrusion detection system is configured to notify said network security controller of detecting said attack via one of a (i) system log (syslog) and (ii) Simple Network Management Protocol (snmp) trap.

10. The network security system according to claim 1 wherein said network intrusion detection system is configured to mirror ports addressable corresponding to said destinations on said protected network.

11. The network security system according to claim 1 wherein said router includes a routing table and said network security controller is configured to introduce to said router a preferred route into said routing table, said preferred route configured to selectively redirect said reply message to said alternate terminus on the protected network.

12. The network security system according to claim 11 wherein said alternate terminus on the protected network comprises a system configured to analyze said reply message to identify network vulnerabilities of the protected network.

13. The network security system according to claim 1 wherein said alternate terminus is said network intrusion detection system.

14. The network security system according to claim 1 wherein said alternate terminus comprises a node on said protected network.

15. The network security system according to claim 1 wherein said control system is configured to put an Exterior Gateway Protocol (EGP) neighbor corresponding to a destination of said reply message into a down state and generates an egpNeighborLoss trap.

16. The network security system according to claim 1 wherein said network security controller is configured to redirect said reply message to said network intrusion detection system.

17. The network security system according to claim 16 wherein said network intrusion detection system is configured to analyze said reply message to identify network vulnerabilities.

18. A network security system, comprising:

a protected network configured to route messages between (i) a plurality of network nodes and (ii) at least one external node;

a router connected to said protected network and configured to receive incoming messages to said protected network from said external nodes and to selectively route said incoming messages to ones of said network nodes addressed by respective ones of said incoming messages;

a network intrusion detection system connected to said protected network and configured to monitor said incoming messages to said protected network and provide an indication of an attempt to gain unauthorized access to said protected network; and

a network security controller connected to said protected network and configured to cause said router to selectively redirect a reply message associated with said one incoming message in response to said network intrusion detection system detecting said attack.

19. A method of operating a network security system, comprising the steps of:

selectively routing messages incoming to respective destinations on a protected network;

detecting an attack on said protected network associated with one of said incoming messages; and

selectively redirecting a reply message associated with said one incoming message to an alternate destination in response to said step of detecting said attack.

20. The method according to claim 19 wherein said reply message is initially addressed to an offending IP address associated with said incoming message prior to said step of selectively rerouting.

21. The method according to claim 20 further comprising a step of storing (i) said offending IP address associated with said incoming message and (ii) a static route pointing said offending IP address to a local interface.

22. The method according to claim 19 wherein said detecting step further comprises a step of detecting predetermined patterns of TCP/IP activity indicative of said attack on said protected network.

23. The method according to claim 19 wherein said detecting step further comprises a step of detecting incoming probes to said protected network.

24. The method according to claim 19 wherein said step of selectively redirecting further comprises a step of introducing a preferred route into a routing table, said preferred route configured to selectively redirect said reply message to said alternate destination.

25. The method according to claim 19 further comprising a step of redirecting said reply message to a network intrusion detection system.

26. The method according to claim 25 further comprising a step of analyzing said reply message to identify network vulnerabilities.

* * * * *